OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Audit Report

Information Security Series: Security Practices
Integrated Contract Management System

Report No. 2006-P-00010

January 31, 2006

Report Contributors: Rudolph M. Brevard
                     Charles Dade
                     Neven Morcos
                     Jefferson Gilkeson
                     Scott Sammons

Abbreviations

ASSERT   Automated Security Self-Evaluation and Remediation Tracking
C&A      Certification and Accreditation
EPA      Environmental Protection Agency
FISMA    Federal Information Security Management Act
ICMS     Integrated Contract Management System
OARM     Office of Administration and Resources Management
OIG      Office of Inspector General
OMB      Office of Management and Budget
POA&M    Plan of Action and Milestone
RTP      Research Triangle Park


U.S. Environmental Protection Agency
Office of Inspector General
Report No. 2006-P-00010
January 31, 2006

At a Glance
Catalyst for Improving the Environment

Information Security Series: Security Practices
Integrated Contract Management System

Why We Did This Review

As part of our annual audit of the Environmental Protection Agency's (EPA's) compliance with the Federal Information Security Management Act (FISMA), we reviewed the security practices for a sample of key Agency information systems, including the Office of Administration and Resources Management's (OARM's) Integrated Contract Management System (ICMS).

Background

FISMA requires agencies to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency's information assets.

ICMS is the information system EPA uses to manage its contracts.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2006/20060131-2006-P-00010.pdf

What We Found

OARM should place greater emphasis on key information system security practices to comply with Federal and Agency information security requirements. Specifically, we found that OARM's ICMS, a major application, was operating without (1) current certification and accreditation, (2) contingency plans or testing of the plans, and (3) a process to monitor servers for known security vulnerabilities. OARM officials could have discovered these noted deficiencies had they implemented procedures to ensure that Federal and Agency information security policies and guidelines were followed. As a result, ICMS had security vulnerabilities which, if exploited, could have had a serious adverse effect on operations, assets, and individuals.

What We Recommend

We recommend that the OARM Information Security Officer:

  • Develop a contingency plan for ICMS and implement a process to ensure the plan is tested at least annually,
  • Implement processes to ensure ICMS production servers are periodically monitored for known vulnerabilities,
  • Develop a Plan of Action and Milestone in the Agency's security weakness tracking system (ASSERT database) for all noted deficiencies, and
  • Develop and implement a plan to re-evaluate system security oversight processes to ensure the above recommendations are uniformly applied to all general support systems and major applications within OARM.

OARM agreed with the report's findings and has indicated that the office has updated key security documents and started to address several of the identified issues. OARM maintains that the office has processes to ensure that ICMS servers it controls are monitored for known vulnerabilities. The office indicated many of the Office of Inspector General's concerns would be addressed when OARM finalizes its server consolidation project.


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

January 31, 2006

MEMORANDUM

SUBJECT:  Information Security Series: Security Practices
          Integrated Contract Management System
          Report No. 2006-P-00010

FROM:     Rudolph M. Brevard, Director /s/
          Information Technology Audits

TO:       Luis A. Luna
          Assistant Administrator for
          Administration and Resources Management

This is our final report on the information security controls audit of the Office of Administration and Resources Management's Integrated Contract Management System conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This audit report contains findings that describe problems the OIG has identified and corrective actions the OIG recommends. This audit report represents the opinion of the OIG, and the findings in this audit report do not necessarily represent the final EPA position. EPA managers, in accordance with established EPA audit resolution procedures, will make final determinations on matters in this audit report.

Action Required

The Office of Administration and Resources Management does not have to provide a response to this report. The Agency's response to the draft report contained an adequate corrective action plan with milestone dates to implement the plan. Accordingly, we are closing this report on issuance. We have no objection to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893.


Table of Contents

At a Glance
Purpose of Audit
Background
Scope and Methodology
ICMS' Compliance with Federal and Agency Security Requirements
     Certification and Accreditation
     Contingency Planning
     System Monitoring for Known Vulnerabilities
Recommendations
Agency Comments and OIG Evaluation

Appendices
A  Agency Response to Draft Report
B  Distribution


Purpose of Audit

Our objective was to determine whether the Office of Administration and Resources Management's (OARM's) Integrated Contract Management System (ICMS) complied with Federal and Agency information system security requirements. ICMS automates the Environmental Protection Agency's (EPA's) Federal acquisition and contract management processes. It generates solicitations, contract documents, purchase orders, contract modifications, and tasking documents.

Background

We conducted this audit pursuant to Title III of the E-Government Act of 2002, commonly referred to as the Federal Information Security Management Act (FISMA). FISMA requires the Agency to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency's information assets. EPA's Chief Information Officer is responsible for establishing and overseeing an Agency-wide program to ensure that the security of its network infrastructure is consistent with these requirements. Program offices are responsible for managing the implementation of these security requirements within their respective organizations.

Program offices should create a Plan of Action and Milestone (POA&M) when they identify security control weaknesses. The POA&M, which documents the planned remediation process, is recorded in the Agency's Automated Security Self-Evaluation and Remediation Tracking (ASSERT) tool, which is used to centrally track remediation of weaknesses associated with Information Technology systems. ASSERT also serves as the Agency's official record for POA&M activity.

FISMA requires the Inspector General, along with the EPA Administrator, to report annually to the Office of Management and Budget (OMB) on the status of EPA's information security program. The OIG provided the results of its review to OMB in Report No. 2006-S-00001, Federal Information Security Management Act, Fiscal Year 2005 Status of EPA's Computer Security Program, issued October 3, 2005.

During our annual FISMA review, we selected one major application each from five EPA program offices and reviewed the office's security practices surrounding these applications. Our overall review noted instances where EPA could improve its security practices, and the OIG reported the results to EPA's Chief Information Officer in Report No. 2006-P-00002, EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes, issued October 17, 2005.

This audit report is one in a series of reports being issued to the five program offices that had an application reviewed. This report addresses findings and recommendations related to information security weaknesses identified in OARM. In particular, this report summarizes our results regarding how OARM's ICMS complies with Federal and EPA information security policies and procedures. This report also includes our evaluation of how OARM implemented, tested, and evaluated ICMS controls to ensure continued compliance with reviewed Federal and Agency requirements. The Scope and Methodology section contains the specific security objectives audited during this review.

Scope and Methodology

We conducted our field work from March 2005 to July 2005. Our primary location selected for review was the National Computer Center, Research Triangle Park (RTP), North Carolina. However, EPA uses ICMS in multiple locations other than RTP, and we judgmentally selected two additional sites using the application: EPA Headquarters and Region 3.

We interviewed Agency officials at all locations and contract employees at the National Computer Center. We reviewed relevant Federal and Agency information security standards. We reviewed application security documentation and training records to determine whether they complied with selected standards. We reviewed system configuration settings and conducted vulnerability testing of servers for known vulnerabilities. We conducted this audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.

We assessed the adequacy of the following security practices for ICMS:

  • Security Certification and Accreditation (C&A) practices: We reviewed ICMS' C&A package to determine whether the security plan was updated and re-approved at least every 3 years and the application was reauthorized at least every 3 years, as required by OMB Circular A-130 and EPA policy.

  • Application contingency plans: We reviewed ICMS' contingency planning practices to determine whether they complied with requirements outlined in EPA Directive 2195A1 (EPA Information Security Manual), National Institute of Standards and Technology Special Publication 800-34 (Contingency Planning Guide for Information Technology Systems), and EPA Procedures Document (Procedures for Implementing Federal Information Technology Security Guidance and Best Practices).

  • Security controls: We reviewed two areas of security controls: (1) physical controls, and (2) system vulnerability monitoring. We evaluated a sub-set of physical controls for selected ICMS server rooms at the EPA Headquarters and Region 3 offices. We did not test physical controls at RTP, because this location was undergoing an audit of these practices. The OIG found instances where EPA could improve its physical controls at RTP and reported the results in Report No. 2006-P-00005, EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus, issued December 14, 2005. We tested OARM's processes for monitoring the ICMS resources for known vulnerabilities, as required by Agency policy, and conducted vulnerability testing of all ICMS production servers at RTP, EPA Headquarters, and Region 3 offices.

  • Annual Training Requirements: We reviewed whether employees with significant security responsibilities satisfied annual training requirements.

ICMS' Compliance with Federal and Agency Security Requirements

Although we noted instances where ICMS was compliant with some Federal and Agency security requirements, our findings highlighted areas where OARM should place more emphasis to improve security practices surrounding ICMS and to better comply with established requirements. In particular, our review noted that ICMS contained security weaknesses in:

  • Timely updating and approving key C&A package documents,
  • Developing and testing the contingency plan, and
  • Monitoring the production servers for known vulnerabilities and mitigating high-risk vulnerabilities.

An effective security program helps offices coordinate, implement, and manage security-related activities and resources throughout the organization. Security practices that help ensure the Agency's network infrastructure is adequately protected include (1) preparing and maintaining an updated C&A package which documents the understanding and testing of implemented security controls necessary to operate an application, (2) documenting and testing the contingency plan to ensure the organization can recover from a disruption in service, and (3) monitoring servers for security vulnerabilities and verifying configuration settings to minimize exploitation from known threats.

By not providing emphasis in these areas, OARM places the integrity and availability of ICMS at greater risk. For example, our vulnerability test results identified where ICMS servers contained weaknesses that would allow an intruder to (1) shut down the server and prevent legitimate user access to the system, or (2) modify confidential information in the ICMS database on the servers. Exploiting one of these vulnerabilities could result in reduced integrity of the data used by all EPA contracting offices for contract processing and degrade ICMS' availability, thereby hindering the contracting officers' ability to use the application to manage contractor tasking, allocation of funds, and contractor efforts. Further, due to the distributed nature of ICMS and the shared responsibility for security of the application and data, a security compromise at one or more locations could prevent OARM from obtaining an Agency-wide view of acquisition activity.

Certification and Accreditation

OARM should implement more comprehensive procedures to ensure that key C&A documents are prepared in a timely manner. The C&A package should include documents such as the most recent system security plan, authorization to operate, and the risk assessment. Although we did not find significant deficiencies with the ICMS risk assessment, our review revealed that the ICMS system owner did not prepare, update, and forward key security documents to senior OARM officials to reauthorize the system for continued operation. During field work, we found that ICMS had an outdated security plan and authorization to operate, which expired in March 2005 and February 2005, respectively. These key security documents are needed to determine whether ICMS' current security controls are sufficient, and whether adjustments to security controls are necessary before reauthorizing ICMS for continued operation.

Upon bringing this issue to OARM's attention, personnel took action to remediate this deficiency and provided us an updated security plan and authorization to operate for ICMS.

Contingency Planning

OARM could improve its contingency planning for ICMS. OARM had not developed a plan for recovering or continuing operations of ICMS should a service disruption occur. Although OARM had established POA&Ms to develop and test a contingency plan, over several years the program office took no action to develop a plan.

Contingency plans establish the necessary procedures for continuing operations for critical systems and applications following a disaster or loss of infrastructure support. Testing the plan would enable OARM to become familiar with the recovery steps and help OARM identify where additional emphasis is needed.

System Monitoring for Known Vulnerabilities

Although we found the physical controls adequate for the two sites we evaluated, OARM had not implemented processes to ensure that several ICMS servers were monitored for known vulnerabilities. Our results disclosed that OARM had not implemented monitoring for 55 percent (5 of 9) of the reviewed servers. As noted in Table 1, our tests discovered 50 unique, high-risk vulnerabilities on the reviewed servers. In addition, unmonitored servers had, on average, 70 percent more vulnerabilities than monitored servers.

Table 1. High Risk Vulnerabilities Discovered for Monitored Versus Unmonitored Servers

                 Number of    Number of Discovered    Average Number of
                 Servers      Vulnerabilities         Vulnerabilities per Server
  Monitored      4            16                      4.0
  Unmonitored    5            34                      6.8
  Total          9            50                      -

Note: The total number of vulnerabilities does not include vulnerabilities identified as Medium or Low Risk or test results described as Informational. For password vulnerabilities, we counted one vulnerability per server, although the server may have had more than one instance of the same vulnerability.

OARM shares responsibility with the regional offices for securing ICMS where the application operates. Ensuring all locations have implemented processes to routinely monitor servers for known security vulnerabilities and verifying the configuration of security settings helps reduce security incidents from occurring. With a formalized oversight process to ensure these functions are being performed, management would have greater assurance that OARM mission-critical information systems are adequately protected against known threats and computer attacks.

Recommendations

We recommend that the Office of Administration and Resources Management, Information Security Officer:

  1. Develop a contingency plan for ICMS and implement a process to ensure the plan is tested at least annually.

  2. Implement processes to ensure ICMS production servers are periodically monitored for known vulnerabilities.

  3. Develop a POA&M in the Agency's security weakness tracking system (ASSERT database) for all noted deficiencies.

  4. Develop and implement a plan to re-evaluate system security oversight processes to ensure the above recommendations are uniformly applied to all general support systems and major applications within OARM.

Agency Comments and OIG Evaluation

OARM concurred with many of the report's recommendations and outlined actions that would address several of the findings. However, OARM maintains that processes already exist to ensure that ICMS servers are periodically monitored for known vulnerabilities, citing ongoing activities for servers under the direct control of OARM. As indicated above, OARM shares the responsibility for securing ICMS with the regional local area network managers operating the application. Agency policy indicates that the application owner is responsible for implementing processes to secure mission-critical applications. Although OARM may share the performance of the security responsibilities with the local area network managers, we believe the onus is with OARM, as the application owner, to implement an oversight process to ensure that security practices are implemented and effective.

OARM indicated that many of our concerns would be addressed once the office finalizes its server consolidation project. OARM indicated that this effort would bring ICMS' current distributed server architecture, spread out in the regional offices, to a centralized environment. OARM also provided additional information regarding the status of key ICMS security documents and the training status for personnel with significant security responsibilities. Where appropriate, we modified the report.

OARM's complete response is included as Appendix A.


Appendix A

Agency Response to Draft Report

MEMORANDUM

SUBJECT:  Response to Draft Audit Report
          Information Security Series: Security Practices
          Office of Administration and Resources Management
          Assignment No. 2005-000661

FROM:     Luis A. Luna, Assistant Administrator /s/

TO:       Rudolph M. Brevard, Director
          Information Technology Audits

OARM appreciates the opportunity to respond to this Draft Audit Report. Our response is attached. We have already addressed several of the issues identified in the report. The security of OARM's information technology resources is a critical task that is taken very seriously.

If you or your staff have any questions regarding the attached response, please contact Leo Gueriguian, OARM Information Management Official (IMO), of my staff at (202) 564-0388 or gueriguian.leo@epa.gov.


OARM Response to Draft Audit Report (Assignment No. 2005-000661)

December 20, 2005

The Office of Administration and Resources Management (OARM) respectfully submits the following responses to the Office of the Inspector General (OIG) regarding the audit report titled Information Security Series: Security Practices, Office of Administration and Resource Management, Assignment No. 2005-000661, dated December 2, 2005. This audit was conducted pursuant to the Federal Information Security Management Act (FISMA). The Integrated Contracts Management System (ICMS) was one of several EPA major applications reviewed in 2005 to meet FISMA requirements.

The following are the findings and recommendations made in the audit report and OARM's responses:

1. Certification and Accreditation (C&A)

OARM acknowledges that the ICMS security plan and authorization to operate were expired at the time of the Office of the Inspector General (OIG) audit. In addition, OARM concurs with the recommendation to update the security plan and authorization. This recommendation has already been completed.

The ICMS security plan was updated and approved June 30, 2005. A new Authorization to Operate memo was signed June 30, 2005. These documents were forwarded to OIG on July 5, 2005.

2. Contingency Planning

OARM acknowledges that ICMS does not have a final contingency plan. In September 2005, OARM developed a draft contingency plan and conducted a tabletop exercise. The contingency plan will be finalized as part of the Office of Acquisition Management's (OAM) server consolidation project. This effort will bring ICMS' current distributed server architecture, spread out in the Regional Offices, to a centralized environment. In the event of a service disruption, an alternate location shall provide the necessary ICMS functionality for the Agency. In addition, this solution will also place the entire ICMS operational environment under OARM's control, which will facilitate monitoring of security settings and testing for known vulnerabilities. We believe this effort, along with annual testing, will also satisfy the OIG recommendation to develop and test a contingency plan, with which OARM concurs. This plan will be completed by September 1, 2006.

3. System Monitoring for Known Vulnerabilities

OAM monitors production servers under its control (RRB OAM server room, R6 and R9) on a daily basis. Monitoring is primarily for operational status, space availability, backup logs, console logs, and Oracle instances. Bindview reports are also run periodically, and Symantec anti-virus software runs on servers and desktops. In addition, Patchlink has been implemented on the desktops within OARM. OAM is in the process of developing a Change Management Process to assure that all OAM's infrastructure components have an appropriate, up to date security configuration. In conclusion, OARM feels that processes already exist to ensure that ICMS servers are periodically monitored for known vulnerabilities. Regardless, under the consolidated server project, OAM will have control of all ICMS servers and will be able to continue the system monitoring. The new system monitoring processes and change management process will be in place by September 1, 2006.

4. Security Training

The Office of Policy and Resources Management (OPRM) maintains overall management for the OARM IT security program. OPRM tracks and monitors the status of OARM staff's completion of required IT security training. Specifically, the Information Security Officer for OARM checks the status of the required training for OARM staff periodically throughout the year.

The Office of Environmental Information (OEI) maintains the US EPA Security Training database, which tracks the completion of required IT security training by EPA staff. For FY05, twelve OARM employees were identified as having significant IT security responsibilities in this database. Three employees were incorrectly identified as having significant security responsibilities and did not need to take any additional training. All of the remaining nine OARM employees completed the required IT security training for FY05. Unfortunately, two staff members were incorrectly identified as not having completed the training in the database. In conclusion, all OARM employees with significant security responsibilities fulfilled the training requirement for FY05. The Information Security Officer (ISO) for OARM manages this required training program and will ensure that the tracking of this training will be accurate in the future.

Remaining recommendations

1. Develop Plans of Actions and Milestones, in the Agency's security weakness tracking system (ASSERT database), for all noted deficiencies.

OAM has an open Plan of Actions & Milestone (POA&M) for developing and documenting a log review process. POA&Ms will be created for revising and testing the Contingency Plan, to align this plan with the consolidated server environment, and for developing and documenting a Change Management Process for OAM's infrastructure.

2. Develop and implement a plan to re-evaluate system security oversight processes to ensure the above recommendations are uniformly applied to all general support systems and major applications within OARM.

For the specific findings with which OARM concurs, these issues are believed to be isolated occurrences, rather than a problem with overall security oversight processes. However, the ISO for OARM will conduct a review of OARM's major IT systems to validate that the recommendations of this report have already been completed. This review will be completed by March 31, 2006.


Appendix B

Distribution

Office of the Administrator
Assistant Administrator for Administration and Resources Management
Regional Administrator, Region 3
Associate Director, Technology and Information Security Staff, Office of Environmental Information
Audit Followup Coordinator, Office of Administration and Resources Management
Audit Followup Coordinator, Region 3
Audit Followup Coordinator, Technology and Information Security Staff
Agency Followup Official (the CFO)
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Inspector General